At the end of 2019, the New York State Court of Appeals provided some clarification on how medical providers should respond to subpoenas for patients’ medical records. Many questions linger; however, the Court held that the written patient authorization and the bold-faced warning requirements of Civil Practice Law and Rules 3122 (“CPLR 3122”) do not apply to subpoenas issued outside discovery. Subpoenas issued outside the scope of discovery include those issued by a government agency or official duly exercising investigatory authority granted by statute.

This decision is elucidating, but it reduces the number of defenses a medical provider may rely upon when resisting a subpoena. Many legal questions also remain. While it was not the Court’s aim, the decision does little to simplify the analysis for medical providers when deciding whether they legally may or should comply with a subpoena, and how to comply. The decision also leaves open questions about whether pre-suit disclosure, which can be obtained by parties to aid in bringing an action or to preserve information, will require a written patient authorization, and whether an agency may avoid the requirements of CPLR 3122 during a lawsuit or legal proceeding by purporting to issue a subpoena under its investigatory powers.

The Court’s decision implicitly reaffirms that medical providers need not respond to, or even object to, subpoenas subject to CPLR 3122 that fail to meet the CPLR 3122 authorization requirement. Relying on that rule and ignoring a subpoena, however, remains fraught. Medical providers should consult legal counsel to determine whether the other requirements of a valid subpoena are present and to determine whether this rule is determinative in any circumstance. Real life rarely follows the text of the rule neatly and cleanly.

Medical providers should still respond carefully to any subpoena, especially if, like most medical providers, they are subject to the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”). The medical provider should still evaluate whether it may legally comply under HIPAA and what additional requirements may apply. Considerations under HIPAA include how to document the disclosure and whether the medical provider must notify the patient or ensure the patient is given an opportunity to object to the disclosure. Lastly, if disclosure is made, the medical provider still must comply with the minimum necessary requirement under HIPAA.

Responding to subpoenas for medical providers is a complex issue, riddled with potential issues and liability. An experienced attorney can clarify the issues quickly, guide you through the process, and ensure that your response is compliant.